Warning regarding known ERC-20 problems

[Dexaran]

Is your feature request related to a problem? Please describe.

ERC-20 standard has known problems i.e. lack of 'transaction handling'. OpenZeppelin confirmed that the problem is widely known and it results in impossibility of handling user errors. As the result tokens can be lost and $130,000,000 worth of tokens are lost today even though it could be easily prevented if transaction handling would be implemented.

• I first have reported this issue in 2017, there were $10,000 lost at that moment: my initial post
• Then I had a discussion with Ethereum Foundation members involved, at that time there were $13,000 lost: discussion thread
• Then I commented the final ERC-20 PR and explained this issue, there were $16,800 lost at that moment: my comment on the PR
• Then it became $1,000,000 loss in 2018: source
• Then the creator of ERC-20 said he doesn't want to use it in his new project: Fabian Vogelsteller's tweet
• Today it became $130,000,000 lost: reddit announcement
• Here is a security statement regarding this problem: statement link

Describe the solution you'd like

As ethereum.org is an informational resource I think it is critically important to highlight that using ERC-20 standard may result in a loss of funds so that developers would be aware of the risks as well as the users.

Probably it needs to be added to the Security tab: "ERC-20 token standard does not implement transaction handling, which means it is impossible to handle user mistakes. As of today (8/7/2023) $130,000,000 worth of tokens were 'permanently frozen' because of this."

Describe alternatives you've considered

Alternatively it could be described in the EIP, but it is in "final" state and it can't be changed now.

Also, it could help if someone from Ethereum Foundation could release an official statement but they didn't do it so far. The longer the problem remains silenced the more funds will be lost.

Additional context

No response

Would you like to work on this issue?

• Yes
• No

[vblackwhale]

My brother in Christ, are you ever going to get over the fact that devs do not want to use your token standard over ERC-20 ? Or are you here to try and extort the Ethereum Foundation after your attempt with OpenZeppelin failed ?

For reference: OpenZeppelin/openzeppelin-contracts#4474

[Dexaran]

I'm a security auditor and I'm here to report and solve a security issue that caused Ethereum community to lose $201,690,000 worth of tokens.

It seems I'm the only honest security auditors who dares to report an issue in the most commonly used component of the ecosystem.

[Dexaran]

@corwintines @Pandapip1 what about this?

[Pandapip1]

I do approve of adding warnings that ERC-20 is succeptible to this. I would also love warnings about the approve double spend attack and using unreasonably large approvals.

While @Dexaran is the author of a competing standard, anything that causes $200 million worth of lost funds at least deserves a mention. Even if/though @Dexaran stands to gain from public awareness, it is an issue and it is arguably underdocumented.

TL; DR: I support adding a warning.

[github-actions]

This issue is stale because it has been open 45 days with no activity.

[Pandapip1]

Any updates?

[github-actions]

This issue is stale because it has been open 45 days with no activity.

[wackerow]

#11787 has just been merged, adding a section to the /erc-20 page about this issue, and also adds a dedicate /erc-223 page. There are a few follow-up polishes to come, but going to mark this closed in the meantime. Thanks everyone!

[Dexaran]

Congrats.

@wackerow @Pandapip1 my team built a "live" losses calculator that (1) provides the info regarding the problem and (2) is able to re-calculate the actual amount of lost tokens by given addresses.

https://dexaran.github.io/erc20-losses/

Any chance it can be integrated?

[Pandapip1]

That calculator makes a few assumptions that may not necessarily hold. It should instead do contract introspection and figure out if the contract can call transfer or approve, or detect if a transfer or approval event from that contract has ever been ever done. This will remove the false positives but also find tokens stuck for other reasons.

Also, how are you figuring out the dollar value of all the stuck tokens? DExes shouldn't be used, since anyone can create a token and have full control over its value.

I think if these things can be fixed, then it would be a good resource and would be a worthy thing to upstream.

[Dexaran]

It should instead do contract introspection and figure out if the contract can call transfer or approve, or detect if a transfer or approval event from that contract has ever been ever done.

Good point. We will probably implement it in the next update (approx. mid July).

Also, how are you figuring out the dollar value of all the stuck tokens?

Currently we are pulling the prices from Coinmarketcap / Coingecko APIs at the moment of the calculation.

[Dexaran]

We will add a link to the prices API, it's already in the template

https://www.figma.com/design/jcRkikBXNpoidDDaxuolLC/%F0%9F%A7%AE-ERC-20-losses-calculator?node-id=1-2&t=RXVPSNnKMNc2CoTu-1

[Pandapip1]

Currently we are pulling the prices from Coinmarketcap / Coingecko APIs at the moment of the calculation.

Great! Just double checking.

[corwintines]

I think if we add this, we should just link out to this resource, and not integrate it specifically on ethereum.org. But open to feedback from others.